Exclusions

Exclusions allow you to exclude assets, artifacts and insights from generating incidents.

Note - These exclusions affect only the creation of incidents in Infinity XDR (Extended Detection & Response)/XPR (Extended Prevention & Response) and do not affect the policies of the on-boarded products.

Simple Exclusions

Simple exclusions allow you to exclude assets and artifacts, so that Infinity XDR/XPR excludes them from both current and future incidents. For example, an asset that represents an approved network scanner.

To create a Simple exclusion for the Infinity XDR/XPR incidents:

  1. Go to Policy > Exclusions.

  2. Click New.

    The New Exclusion window appears. The Simple exclusion tab is displayed by default.

  3. From the Field list, select the type of asset / artifact:

    • To add an exclusion for a machine:

      1. Select Host.

      2. In the Value field, enter the host name or the IP address.

    • To add an exclusion for an email address, select Email address and enter the email address.

    • To add an exclusion for a URL, select URL, and enter the URL.

    • To add an exclusion for a file by its MD5 hash, select File MD5, and enter the MD5 hash of the file.

    • To add an exclusion for an IP address:

      1. Select IPv4.

      2. In the Value section:

        • To add a single IP address, select Single and enter the IP address.

        • To add a range of IP addresses, select Range and enter the From and To IP addresses.

        • To add IP addresses in CIDR notation, select CIDR and enter the Subnet and Prefix.

  4. (Optional) In the Expiration date (UTC) field, select an expiration date for the exclusion. After this date, Infinity XDR/XPR starts creating incidents for this asset/artifact. By default, there is no expiry date for an exclusion.

  5. (Optional) In the Exclusion comment section, enter a description about the exclusion.

  6. Click Create.

Advanced Exclusions

Advanced exclusions allow you to exclude insights so that Infinity XDR/XPR excludes them from generating future incidents. Optionally, you can also exclude insights generated in the past. If all the standalone insights of an incident are excluded, then the incident is also excluded.

Note - You can also create Advanced Exclusions from the:

To create an Advanced Exclusion:

  1. Go to Policy > Exclusions.

  2. Click New.

    The New Exclusion window appears.

  3. Click the Advanced tab.

  4. From the Field list, select the insight field(s) to be excluded. Fields are the column names in the Insights & Forensics page.

  5. To add or remove a field, click + Add. The fields that are already selected are marked.

    • To add, hover over the field name and click +.

    • To remove an already selected field, click the field name.

  6. In the Value field, enter the field values to be excluded. Infinity XDR/XPR applies this exclusion to insights that contain all of the selected fields and any of the entered values.

  7. Repeat steps 5 and 6 to add another field and value.

  8. (Optional) To exclude the incidents already generated based on this insight:

    1. Select the Set exclusion retroactively checkbox.

    2. In the Start date (UTC) field, select a date within the last 90 days. Infinity XDR/XPR excludes all the incidents that were generated from this date based on this insight. To revert the exclusion, see Reverting a Retroactive Exclusion.

  9. (Optional) In the Expiration date (UTC) field, select an expiration date for the exclusion. After this date, Infinity XDR/XPR generates incidents for this insight. By default, there is no expiry date for an exclusion.

  10. (Optional) In the Exclusion comment section, enter a description about the exclusion.

  11. Click Create.

The exclusion is added to the Exclusions table.

The icon in the Start Date column indicates whether the system successfully executed the retroactive exclusion or failed to execute it.
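The matching rules described for Simple exclusions (Host/Email/URL/File MD5 values, IPv4 Single/Range/CIDR, expiration date) and for Advanced exclusions (all selected fields present, any of the entered values, an incident excluded only when every insight is excluded) can be modelled in a few lines. The following is an added illustration, not Check Point code; the class names, the `Field-Value` representation, the case-insensitive comparison and the sample insights are constructed assumptions.

```python
"""Model of the exclusion semantics described on this page (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import ipaddress


@dataclass
class SimpleExclusion:
    """Excludes one asset/artifact. For IPv4 the value may be a single address,
    a 'From - To' range or a CIDR block, mirroring the Value section options."""
    field_name: str            # Host, Email address, URL, File MD5 or IPv4
    value: str
    expires: Optional[date] = None   # no expiry date by default

    def matches(self, field_name: str, value: str, today: date) -> bool:
        if self.expires is not None and today > self.expires:
            return False       # expired: incidents are created again
        if field_name != self.field_name:
            return False
        if self.field_name != "IPv4":
            return value.lower() == self.value.lower()   # assumption: case-insensitive
        ip = ipaddress.ip_address(value)
        if "-" in self.value:  # Range: "From - To"
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.value.split("-"))
            return lo <= ip <= hi
        # Single address (treated as /32) or CIDR "Subnet/Prefix"
        return ip in ipaddress.ip_network(self.value, strict=False)


@dataclass
class AdvancedExclusion:
    """Excludes insights that contain ALL selected fields and ANY of the values.
    Interpretation of step 6: a value matches if it equals the insight's value
    in at least one of the selected fields (constructed assumption)."""
    fields: list
    values: list
    expires: Optional[date] = None

    def matches(self, insight: dict, today: date) -> bool:
        if self.expires is not None and today > self.expires:
            return False
        if not all(f in insight for f in self.fields):
            return False
        return any(insight[f] in self.values for f in self.fields)


def incident_excluded(insights, exclusions, today: date) -> bool:
    """An incident is excluded only when every one of its insights is excluded."""
    return all(any(e.matches(i, today) for e in exclusions) for i in insights)
```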

Reverting a Retroactive Exclusion

You can revert a retroactive exclusion to restore the incidents excluded by this exclusion.

To revert a retroactive exclusion:

  1. Go to Policy > Exclusions.
  2. In the Exclusions table, for the exclusion you want to revert, hover over the Start Date, click the icon that appears, and then click Revert retroactive exclusion.

    If the revert is successful, a "reverted" message appears in the Start Date column.

    If the revert fails, a "revert failed" message appears.

Editing an Exclusion

To edit an exclusion:

  1. Go to Policy > Exclusions.

  2. Select the exclusion and click Edit.

    The Edit Exclusion window appears.

  3. Make the necessary changes for the exclusion and click Submit.

Note - You cannot edit an exclusion for which a retroactive or revert operation is in progress.

Exporting Exclusions

To export the exclusions:

  1. Go to Policy > Exclusions.

  2. Click Export All (CSV).

The system downloads all exclusions as a CSV file.